Cuckoo sandbox report

analeen

New Member
Thread author
Jan 17, 2016
As a new user of the sandbox, I just got a little bit confused by the report generated by Cuckoo...

1. What is the difference between the loaded DLLs (in the behaviour analysis section) and the imported DLLs (in the static analysis section)? Shouldn't these be the same? (I mean the DLLs loaded during the run should be imported first.) I've uploaded a report which contains both.

2. Another thing: if I didn't install tcpdump and didn't give internet access to the sandbox, I should just miss the communication between the malware and the outside world (the packets transmitted, basically), but I should still have the domains, IP addresses and hosts contacted, right?

Attachments

  • report.txt (130.6 KB)

analeen

New Member
Thread author
Jan 17, 2016
2. Most malware/binaries are loaders/downloaders, which is the first phase of the infection; once executed, they then download the real payload (encrypted or not). If you don't provide the environment with full internet access, you only get a partial view of the binary. Also, many malware download their configuration at runtime, so that information also provides a more complete view of the malware. Full access is preferred; you get a lot of 0-day malware that way.

Many thanks for your helpful reply.
I want to analyse a large number of malware samples ('.exe' only), but if I give Cuckoo full internet access (host-only + forwarding, as recommended in the Cuckoo documentation, in addition to using a dedicated internet line for this which is not connected to my network) and I run the Cuckoo sandbox with my administrator user but without 'sudo' (./cuckoo.py), as I wasn't able to configure it and run it as a dedicated normal user,
will this affect my system in any way (my host is Ubuntu)? Is there anything I should keep in mind?

LabZero

The import library only contains code to load the DLL and to implement calls to functions in the DLL. The presence of an external function in an import library informs the linker that the code for that function is in a DLL. To resolve external references to the DLL, the linker simply adds information to the executable file that tells the system where to find the DLL code when the process starts.
If there is no internet connection, many malware such as downloaders can't download the other parts of the malicious code.
With regard to the IPs and the contacted hosts, it depends on the code implementation: some samples perform the network generation in the presence of a connection, others have it written in the code, but generally an active connection is necessary to see network traffic.

analeen

New Member
Thread author
Jan 17, 2016
Many thanks, Klipsh.

The import library only contains code to load the DLL and to implement calls to functions in the DLL. The presence of an external function in an import library informs the linker that the code for that function is in a DLL. To resolve external references to the DLL, the linker simply adds information to the executable file that tells the system where to find the DLL code when the process starts.

But sorry, I didn't get it yet :(. I understand that importing a library is like telling the executable to use code that exists in this library, and therefore the executable should load this library during execution in order to use the code... What I don't understand is why the libraries (imported vs. loaded) are different in the Cuckoo analysis. Shouldn't they be the same? It's worth mentioning also that the analysed executable is benign, so there is no evasion technique there! Did I miss something?
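An added example, not taken from this thread or from the Cuckoo project, that shows why the two lists in a report legitimately differ even for a benign file: it takes the static import table and the behavioural DLL-load list from a Cuckoo-style JSON report, normalises the names (the behaviour log records full paths in mixed case, the import table records bare names), and buckets them. The JSON field names and the sample data are assumptions constructed for this example.

```python
import json
import ntpath

# Constructed stand-in for the two report sections. The field names
# (static.pe_imports, behavior.summary.dll_loaded) are an assumption about
# Cuckoo's JSON layout, not copied from the attached report.txt.
SAMPLE_REPORT = json.loads(r'''{
  "static": {"pe_imports": [
    {"dll": "KERNEL32.dll", "imports": [{"name": "LoadLibraryA"}, {"name": "GetProcAddress"}]},
    {"dll": "USER32.dll",   "imports": [{"name": "MessageBoxA"}]},
    {"dll": "WS2_32.dll",   "imports": [{"name": "connect"}]}
  ]},
  "behavior": {"summary": {"dll_loaded": [
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\System32\\KERNELBASE.dll",
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\System32\\user32.dll",
    "C:\\Windows\\System32\\urlmon.dll"
  ]}}
}''')


def normalize(name):
    """Reduce both spellings to a comparable key: bare file name, lower case."""
    return ntpath.basename(name).lower()


def compare_dlls(report):
    """Bucket DLL names from the static and behavioural sections of a report.

    both                : imported and also observed being loaded at run time
    imported_not_loaded : in the import table but never seen by the monitor
                          (mapped by the loader before hooking, or a delay-load
                          import whose function was never called)
    loaded_not_imported : seen at run time only, i.e. dependencies of the
                          imports (ntdll, kernelbase) or explicit LoadLibrary
                          calls (urlmon here), which a static import table
                          cannot list
    """
    imported = {normalize(e["dll"]) for e in report["static"]["pe_imports"]}
    loaded = {normalize(p) for p in report["behavior"]["summary"]["dll_loaded"]}
    return {
        "both": sorted(imported & loaded),
        "imported_not_loaded": sorted(imported - loaded),
        "loaded_not_imported": sorted(loaded - imported),
    }


if __name__ == "__main__":
    for bucket, names in compare_dlls(SAMPLE_REPORT).items():
        print(f"{bucket:22s} {', '.join(names) or '-'}")
```

The same comparison works on a real report.json once the two paths are adjusted to the report version in use; a large loaded_not_imported bucket is the normal signature of dynamic loading, not of a broken report.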
